Is Antivirus Software No Longer Effective?

I read a report today that said that 84% of all companies were running systems that were infected with some sort of malware. The conclusion on this was that traditional AV software is out of date and no longer effective at protecting against threats. Personally, I think it makes sense. I have had/seen several viruses that seemed impossible to get rid of that weren't detected by antivirus, even with fully updated definitions. What do you think? Is antivirus software no longer relevant?


IMHO Anti-virus is part of an overall approach to limiting the chance that malware will infest a system (and, in this, I am thinking of anti-virus, trojan, worm, rootkit, etc.). Firewalls, judicious use of the internet, and care in installing software (especially from the internet, EVEN UPDATES) are equally important components.

It is also important to note that 'malware' has many definitions. In the extreme, unnecessary toolbars are part of that definition ... and their install easily raises the infection number.

While I have some questions about that statistic, I agree that traditional AV is way behind the times in terms of protecting systems. That doesn't mean that you should necessarily go without, but that it only improves your security posture a relatively tiny bit relative to the modern threats.

As Debra mentions, it is part of an overall security defense plan, but we really need to look at protecting systems from malware in a different way than trying to enumerate all bad things and block them.

AV software will always be reactive and behind the times. There is no way to build a predictive model for malware. They cannot defend against a threat until it is known to them, any more than your body can protect itself against diseases it hasn't met before.

I think the way that anti-malware software works is ever evolving, but can you imagine how bad it would be without it? As bad as things are, it would be that much worse. We use Sophos, and it catches just about everything. Although some of the bits and pieces of malware might linger, they're quarantined or otherwise contained until we can clean them up. So the malware is unable to do any harm.

In education, you have to figure that many of your users are trying to actively circumvent AV software, so the fact that we've used Sophos for 7 years without a major outbreak kind of speaks for itself. (Looking around quickly for a piece of wood on which to knock).

So, in this situation, one cannot expect a foolproof solution which can isolate a PC from malware. A few years ago, I used Norton and AVG premium version to keep my Laptop and Desktop clean from all kind of malware. They were quite effective at that time.

But now, both these AVs have disappointed me, as I still find malware intrusions on my PC when I scan with some free software, despite the fact that I am using the AV software.

When the license was over, I chose not to renew it. Instead, I removed them through CCleaner and now have Microsoft Security Essentials on it. It is free and I am quite happy with it. At least, if not the mighty malware, it helps in getting rid of that regular pop-up of "Your PC is unsafe - install Antivirus..." kind of message.

So, what I want to conclude is that yes, I concur with the thought of the OP, and would like to add that no AV installation in this world can keep your PC secure, especially if it is connected to the internet 24/7 and most of the computing activity is interfaced with the internet.

Not entirely. The problem as I see it is that the malware writers have got smart and use methods that aren't detected as a threat that an AV program is looking for, i.e. zombie attack, data stealing, denial of service attack. Instead they now leverage the user directly and trick them into installing toolbars that, whilst not malicious in themselves, redirect the user to sponsored web sites or 'click-through' sites in order to get the victim to willingly give up their information or pay them money for some service or other that isn't what the user was thinking it was.

It's been a while since I had to deal with a customer with an out-and-out virus infection - the most common malware seen now is Search Protect, Wajam, Search Conduit, Delta Search etc., and those get right under the AV radar as the user agrees to install them, or at least install something that has these things bundled in with them.

I think it's high time that AV companies started taking this malware far more seriously, and if ever Malwarebytes adds in traditional AV protection and a firewall they'll have an unbeatable advantage until the rest catch up. I suspect this is in their game plan with going to the annual subscription model - time will tell :-)

The very fact that people have to install more than a single antimalware tool to protect themselves from malware (or feel that they have to do so) is the clearest indication that signature-based antimalware solutions are ineffective. And how can they be? They are primarily large lists of "determine that this is bad, and stop it".

The proper way to handle this problem is to establish what is good, and only allow that. For any given workstation, laptop or server, the list of things that the owner is happy to execute on that box is very tiny in comparison to the list of bad things that he or she does not want to have executed. A smaller list is easier to maintain.

Granted, there are many ways to implement application white-listing, and not all of those ways are good (especially if you are maintaining multiple systems), so we need to see some good, cost-effective approaches, but that direction is much better than the traditional AV route.

SELinux is a fairly good option. On distributions that support it the rules are part of the updates and barely noticeable when updated correctly. OTOH a good administrator with a combination of time and skills can further refine the rules.

Printer drivers were once installed in a similar fashion on Windows. You received a printer and the "rules" for its operation from the manufacturer. While this model needs to be tweaked, it could be a start for similar functionality to SELinux on Windows.

RE: SELinux
While you will find mention over and over that the SELinux code has been reviewed carefully, it's much harder to find someone who says they have actually fully reviewed the SELinux code base.

Since Debian is a fairly trusted distro with a huge community of developers, we can use it as a possible best case.

Russell Coker, who ported and packaged SE Linux for Debian, said: "It doesn't seem plausible that there would be anything inappropriate in patches publicly submitted by the NSA."

This indicated he did not do a full review of the code.

Brian May, who backported Russell's work to Woody, a Debian release made in July 2002, said: "I looked into SE Linux some years ago, but ran out of time to really get into it." Another gatekeeper who didn't do much.

Many argue that it must be secure because the NSA would be fools to put a back door in something with their fingerprints all over it. Others argue that SELinux must be secure because anyone finding a problem would be famous for discrediting the NSA. These are all fine reasons to assume it is secure. Yet, for me, the reassurance that SELinux is secure doesn't feel like enough any more.

I'd like some actual evidence of an audit of the SELinux code base. Does anyone have such info? Or is this all hearsay and assumptions based on best guesses of what people think is true?

There are quite a few modifications with SELinux, from new libraries to a custom sshd server to exec-shield. It's confusing as heck. As well, the code is awful and no thought was ever given to performance.

A review would be expensive and to my knowledge never attempted. (see above)

In my opinion AV is essential, just not the first line of defense anymore.
So here is my highly opinionated list in priority.
1. Reputation of www hosts, at the end point and perimeter
2. 4th or 5th gen firewalling of ports and protocols at the end point and perimeter
3. Signature based IPS at the end point and perimeter
4. Anomaly detection IDS at the end point and perimeter
5. Process or executable reputation - hash aware at the end point
6. Process behavior monitoring and filtering at the end point
7. Custom application and device controls - who or what can launch what from where at the end point - lockdown devices or exclude non approved storage
8. Posture checking - patching, registry tuning, network location awareness
9. Backup and Restore utility
10. Antivirus / antimalware.
11. Data Loss prevention - template and strategy
12. Reporting and mitigation
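Two posts above argue for the same control from different angles: "establish what is good, and only allow that" (application white-listing) and item 5 of this list, "process or executable reputation - hash aware at the end point". The following is an added example, not code from any poster or from any product named in the thread, showing the core of a hash-keyed allow-list with a default-deny decision and an audit line per launch. All file paths and "executable" byte strings are constructed for the example (the Search Protect name comes from an earlier post, but the installer bytes are invented), and the approval of a known-good file run from an unexpected path is a design choice of this example, not a statement about how any real product behaves.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed sample "executables". In a real deployment these would be the
# bytes of files on disk; they are inline here so the example runs offline.
KNOWN_GOOD: dict[str, bytes] = {
    "C:/Program Files/Office/winword.exe": b"MZ\x90\x00 hypothetical word processor build 1.0",
    "C:/Program Files/Sophos/sav.exe": b"MZ\x90\x00 hypothetical endpoint agent build 2.3",
}


@dataclass(frozen=True)
class Decision:
    path: str
    sha256: str
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(known_good: dict[str, bytes]) -> dict[str, str]:
    """Map sha256 -> the path the content was approved at.

    Keying on content rather than on path is the point: if an approved file's
    bytes are replaced, its hash changes and the approval no longer applies.
    """
    return {sha256_hex(data): path for path, data in known_good.items()}


def check_execution(allowlist: dict[str, str], path: str, data: bytes) -> Decision:
    """Default deny: anything whose hash is not on the list is blocked."""
    digest = sha256_hex(data)
    approved_path = allowlist.get(digest)
    if approved_path is None:
        return Decision(path, digest, False, "hash not on allow-list (default deny)")
    if approved_path != path:
        # Known-good bytes launched from another location: the code itself is
        # approved, so this example allows it, but records the mismatch since
        # copied or renamed binaries are worth a look in the audit trail.
        return Decision(path, digest, True,
                        f"approved content of {approved_path} run from another path")
    return Decision(path, digest, True, "approved")


def audit_line(d: Decision) -> str:
    verdict = "ALLOW" if d.allowed else "BLOCK"
    return f"{verdict} {d.path} sha256={d.sha256[:16]}... {d.reason}"


def run_demo() -> list[Decision]:
    allowlist = build_allowlist(KNOWN_GOOD)
    word = KNOWN_GOOD["C:/Program Files/Office/winword.exe"]
    agent = KNOWN_GOOD["C:/Program Files/Sophos/sav.exe"]
    # Constructed launch attempts: approved, unknown bundled installer,
    # tampered copy of an approved file, approved bytes from a new path.
    attempts = [
        ("C:/Program Files/Office/winword.exe", word),
        ("C:/Users/alice/Downloads/SearchProtect_setup.exe",
         b"MZ\x90\x00 hypothetical bundled toolbar installer"),
        ("C:/Program Files/Sophos/sav.exe", agent + b"\x00"),
        ("D:/portable/winword.exe", word),
    ]
    decisions = [check_execution(allowlist, p, d) for p, d in attempts]
    for d in decisions:
        print(audit_line(d))
    return decisions


if __name__ == "__main__":
    run_demo()
```

Running it prints one audit line per attempt: the approved build is allowed, the bundled installer is blocked because its hash is simply not on the list (no signature of it is needed), the tampered copy of the agent is blocked even though it sits at an approved path, and the approved bytes run from another path are allowed with the mismatch recorded. The allow-list is the short list the post describes; everything the list does not name falls to the default-deny branch.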

William, I believe that things are exactly as you have stated: Everyone is sure that someone *else* has investigated it thoroughly, because, well, I can't imagine that someone wouldn't.

I doubt that the NSA really cares that people don't trust it. Their goal is undermining trust -- ostensibly that of others, but if you do something long enough, your scope of operation can broaden imperceptibly.

I don't happen to know anyone who has actually reviewed the code for SELinux.

Anyone in the past 15 years who believed that a single piece of software would provide adequate protection against the onslaught has been living in a fantasy world. Good security has always been a multi-faceted, multi-level process. You need firewalls, proxy servers, anti-virus software, malware detection, rootkit detectors, etc., along with strong/multiple passwords and "safe computing".

Assuming that we are simply discussing end-point protection, then all we really need is:
-- Firewalls (something to inspect and restrict traffic inbound and outbound)
-- Something to ensure that only approved applications run
-- Something that ensures that the code of your operating system is up to date
-- Strong passwords and password policy
-- User education to avoid undermining any of the above.

If only known software can run on the machine, then antivirus, malware detection, and rootkit detection are out the door.

If you cannot ensure that only a known list of processes or applications is allowed to run, then you need the 9 anti-xxx utilities to address all the varied means by which bad code runs. That is simply not sustainable...

Define "Security". If you mean a bullet-proof system that is impervious to any and all attack vectors, you are right. However, that's never been (nor will it ever be) possible. Doing all these things decreases the probability that you will be compromised. That's all.

My only point was that it's not realistic to expect a single piece of software to protect you from all of this.

(In reply to Hank Arnold, May 15 at 5:48 AM, quoted above.)

So true - the most advanced and all-encompassing security system can be turned to so much fresh air by the user!! All too often when dealing with infected systems I've heard "I thought my AV would protect me no matter what I clicked on", not helped by advertising claims by AV companies that would imply that they have your system as secure as it's possible to be - which the user takes as 'cast iron defence'.

Education is the key, but there are always going to be those who will not listen / think they know better than you / are new to computers and 'nobody told me' <sigh>. Still, it keeps the bills paid for the IT tech so not all bad news, but I have been switching suitable users to Ubuntu instead, and since then they've had no problems whatsoever - cutting my own throat? I don't see it as that, as there are always other things that they need and they know support is just a call away :-)

What we need is a measure of sufficiency. I think we all have a satisfactory experience managing sensitive paper files inside our offices, where keys to the doors are managed as one would manage an ACL. Additionally, sometimes we manage the locks on the file cabinets themselves, but typically the risk of compromise isn't sufficiently high to justify the hassle.

One thing we do have in our physical offices is a set of visual and aural cues that tell us who's in the office suite with us while the door is unlocked. When it comes to our online facilities we need a workable substitute for those visual and aural cues.

When our digital filing cabinets are as safe as our paper filing cabinets, then we're there.

Ok, so the average office building has a secure entry system - key fobs and the like. It has cameras to record everyone entering and leaving. There are locks on the doors to rooms that store sensitive information and locks on the filing cabinets.

To me that sounds like secure entry system = strong authentication, cameras = intrusion detection, locks on the door = firewall, lock on cabinets = antivirus. So, apparently the correct model is multiple layers of security that when combined create a reasonable level of security. Just as with filing cabinets, things can still be taken, although it's much easier for an insider than an outside thief.

If the comparison holds true, then yes, we are already there. The problem is that when someone loses their key card, cameras aren't monitored, door locks are of low quality, or cabinet locks are left unlatched, it leaves your data vulnerable. That being the case, close attention to the entire security infrastructure and selecting the best security devices available becomes vitally important.

From this we can safely conclude that antivirus is still effective in the role it was designed for as long as it is of a quality build, stays updated, and is only one part of the security model which should include other high quality tools which are monitored, maintained, and well positioned.

AV is an attempt to blacklist unknown and unwanted behavior. As you cannot identify that well in an emerging population, it will always have a lot of misses.
The better approach would be a whitelist approach, only allowing approved known ones.

That will need a complete turn-over in the way of thinking, and with that in building software and implementations. Not an easy process, as most want to do their work according to some list.

It is the same as physical access management. Why is access done on the basis of personal badges and defined isolated areas of classified higher risk? The physical environment is easier to understand than the imagined one.

Hi there members, some great ideas from all environments, and yes I do agree, a first line of defense is more important than having nothing.

Change Control processes, Configuration Management processes, and Release Management processes can also be seen as critical support and must have for each technical environment.

A clearly defined workstation stack which forms part of a directory structure also assists greatly. Identifying all approved protocols on the LAN infrastructure also assists. Firewalls should deny any other un-approved protocols. Internet access must only be allowed to the end users who REALLY require it for their daily work, and not Internet for all. A policy must be signed by the end user informing them on a quarterly basis of the security policy and what is allowed and what is not.

Control Compliance software that can be centrally managed will also help with Microsoft and AV update processes not taking place in the field, and also identify other unseen vulnerabilities.

THIS IS IN SHORT A COUPLE OF HIGH END POINTERS TO HELP ASSIST, BUT LASTLY AND VERY IMPORTANT, A COMPLETE APPROVED REMOTE DESKTOP MANAGEMENT SOLUTION, which will assist in actively fighting attacks on desktops that fall out of the domain infrastructure, or new desktops that join the domain without being configured to an approved stack.

NMS tools (HP, FLUKE, AND MANY other) can and will also assist with identification of attacks, but again, all protocols must be known on the LAN environments being managed, otherwise it will become a one for all and all on one.

So if you don't use a malware detection package, how do you know that you are not infected?
Malware is not restricted to IE and Outlook. I run malware defenses at several layers, and see quite a number of detections.

If you can isolate your OS system from potential threats, then you have your answer.
When needed put the things like IE/Outlook in a VM-box never let those updates go outside.
Throw away every VM environment that could be compromised/infected.

I congratulate you on your apparent success in avoiding a virus. Of course, how do you know you aren't affected?

Your comment, though, that all you have to do is not use IE and Outlook is simplistic and totally misleading. If you think using another browser or e-mail client will protect folks, you are very, very, very wrong. In the vast majority of cases, it's not the software that failed. The problem usually lies between the keyboard and the back of the chair.

Hank, you are very right with your analysis of the problem.
Do you have a proposal for some AV-tool or malware detection for the mentioned area?
(just kidding....)
The problem of knowing you are not infected is the most difficult one to answer. You only know what you know, not what you do not know. Are you sure your router's processor software, or whatever, does not contain something that should not be there or should be there?
As it is delivered to you are trusting that?

Routers are just computers running code. Mostly Linux/Unix based. And yes, they can be hacked. The root-kit ... root is coming from that environment. The first environment where hacking was taught. Having access to all your data that you get your hands on at that location.
It is "the man in the middle" position.

Do not get paranoid when you are running a grocery. But if you have some merchandise in technical stuff in some area, it is something to think about.
